b"DEPARTMENT OF HOMELAND SECURITY\n`\n\n\n     Office of Inspector General\n\n\n    Progress Has Been Made But More Work \n\n     Remains in Meeting Homeland Security \n\n     Presidential Directive 12 Requirements \n\n\n\n\n\nOIG-08-01                      October 2007\n                                              1\n\x0c                                                                       Office of Inspector General\n\n                                                                       U.S. Department of Homeland Security\n                                                                       Washington, DC 20528\n\n\n\n\n                                      October 15, 2007\n\n                                             Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by\nthe Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General\nAct of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our\noversight responsibilities to promote economy, efficiency, and effectiveness within the department.\n\nThis report addresses the progress DHS has made and the actions needed to comply with Homeland\nSecurity Presidential Directive 12 and implement Federal Information Processing Standards 201\nrequirements. It is based on interviews with employees and officials of relevant agencies and\ninstitutions, direct observations, and a review of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to our office, and\nhave been discussed in draft with those responsible for implementation. It is our hope that this\nreport will result in more effective, efficient, and economical operations. We express our\nappreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                             Richard L. 
Skinner \n\n                                             Inspector General \n\n\x0cTable of Contents/Abbreviations \n\n\n  Executive Summary ...................................................................................................................1 \n\n\n  Background ................................................................................................................................2 \n\n\n  Results of Audit .........................................................................................................................4 \n\n\n       Actions Taken To Implement HSPD-12 ..........................................................................4 \n\n\n       Better Management of HSPD-12 Implementation Is Needed ........................................7 \n\n         DHS Is Behind In Its Implementation Schedule and May Not Meet OMB \n\n         Milestones .......................................................................................................................7 \n\n         Requirements for PIV Card Usage Have Not Been Determined ....................................8 \n\n         Costs to Implement HSPD-12 Have Not Been Assessed................................................9 \n\n         Agency Head Has Not Accredited PIV-I Processes .....................................................10 \n\n         PCI Services Must Be Re-accredited ............................................................................10 \n\n         Component Implementation Guidance Needs to be Updated .......................................12 \n\n         PIV Card Issuance Statistics Not Posted on Public Website ........................................13 \n\n\n       DHS Is Not Ready to Issue HSPD-12 Compliant Cards ..............................................14 \n\n         PMO Needs to Bring Headquarters System to Production Readiness..........................14 \n\n         Certification of ICISS Was Inadequate and Not Independent 
......................................15 \n\n\n       Recommendations..............................................................................................................16\n\n       Management Comments and OIG Analysis .....................................................................17 \n\n\n\nAppendices\n  Appendix A:            Purpose, Scope, and Methodology .................................................................19 \n\n  Appendix B:            Management Comments to the Draft Report ................................................20 \n\n  Appendix C:            Example of a PIV Card ..................................................................................26 \n\n  Appendix D:            OMB Form I-9 Lists of Acceptable Documents ............................................27 \n\n  Appendix E:            Major Contributors to this Report ..................................................................28 \n\n  Appendix F:            Report Distribution.........................................................................................29 \n\n\n\n\n\n   Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\x0cTable of Contents/Abbreviations \n\n\nAbbreviations\n\n  DHS                Department of Homeland Security\n  FIPS               Federal Information Processing Standards\n  GSA                General Services Administration\n  HSPD-12            Homeland Security Presidential Directive 12\n  ICISS              Identification and Credential Issuing Station and System\n  NIST               National Institute of Standards and Technology\n  OCIO               Office of the Chief Information Officer\n  OIG                Office of Inspector General\n  OMB                Office of Management and Budget\n  PCI                Personal Identity Verification Card Issuer\n  PIN                Personal Identification Number\n  PIV                Personal Identity 
Verification\n  PMO                Program Management Office\n  SP                 Special Publication\n\n\n\n\n   Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\x0cOIG \n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                          We audited the Department of Homeland Security to determine whether the\n                          department has effectively managed the implementation of Homeland Security\n                          Presidential Directive 12 (HSPD-12). HSPD-12 requires the development and\n                          agency implementation of a mandatory, government-wide standard for secure\n                          and reliable forms of identification for federal employees and contractors. We\n                          determined whether the department\xe2\x80\x99s HSPD-12 implementation plan is\n                          adequate; policies and procedures to implement HSPD-12 requirements are\n                          adequate; and security controls implemented to protect the privacy of personal\n                          data collected and processed by HSPD-12 systems are effective.\n\n                          The department has taken some actions to implement HSPD-12 requirements.\n                          For example, the department has established a Program Management Office to\n                          provide guidance and logistic support to implement HSPD-12 requirements at\n                          its headquarters and components. The Program Management Office developed\n                          a three-phase implementation plan and a procedures reference book that\n                          documents the processes to enroll applicants and issue credentials. 
Further, the\n                          Program Management Office prepared a privacy impact assessment providing\n                          details about personally identifiable information collected for issuing\n                          credentials. The privacy impact assessment described how the information\n                          may be accessed and how it will be securely stored. Furthermore, an HSPD-12\n                          Council was established to facilitate the implementation of HSPD-12\n                          throughout the department.\n\n                          While the completion of these tasks helps the Department of Homeland\n                          Security fulfill some of its HSPD-12 requirements, more work remains. The\n                          department must devote further attention to ensure that it meets Office of\n                          Management and Budget established time frames for issuing HSPD-12\n                          compliant cards to its employees and contractors. For example, the department\n                          is not scheduled to complete its HSPD-12 implementation until 2010, which is\n                          2 years after the Office of Management and Budget\xe2\x80\x99s mandated deadline for all\n                          agencies. The department is also experiencing delays in implementing a\n                          technical solution and issuing compliant cards to its employees and\n                          contractors. In addition, the department has not assessed the total cost to\n                          implement HSPD-12 across the department and has not identified which\n                          facilities will require compliant cards in order to gain physical access, nor has\n                          it determined whether they will also be used for accessing information\n                          systems. 
Finally, the department must certify and accredit the headquarters\n                          and each component\xe2\x80\x99s personal identity verification card issuer service, as well\n                          as the information system that supports the service prior to implementation.\n\n  Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\n                                                      Page 1\n\x0c                            We are making seven recommendations to the Under Secretary for\n                            Management. While the department agreed to six of the recommendations, it\n                            did not concur with our recommendation to report its card issuance statistics on\n                            DHS\xe2\x80\x99 website. The department\xe2\x80\x99s response is summarized and evaluated in the\n                            body of this report and included, in its entirety, as Appendix B.\n\nBackground\n                            On August 27, 2004, the President of the United States issued Homeland\n                            Security Presidential Directive 12 (HSPD-12), Policy for a Common\n                            Identification Standard for Federal Employees and Contractors. The purpose\n                            of HSPD-12 is to enhance security, increase government efficiency, reduce\n                            identity fraud, and protect personal privacy by establishing a mandatory,\n                            government-wide standard for secure and reliable forms of identification\n                            issued by the federal government to its employees and contractors (including\n                            contractor employees). 
In addition, HSPD-12 requires the Department of\n                            Commerce to promulgate a common standard for identification credentials,\n                            issued by federal departments and agencies for the purpose of gaining\n                            physical access to federally controlled facilities and logical access to federally\n                            controlled information systems.\n\n                            On February 25, 2005, the National Institute of Standards and Technology\n                            (NIST) promulgated Federal Information Processing Standards (FIPS) 201,\n                            Personal Identity Verification (PIV) of Federal Employees and Contractors,\n                            to satisfy the Department of Commerce\xe2\x80\x99s HSPD-12 requirement. FIPS 201\n                            establishes the standard for secure and reliable forms of identification cards,\n                            performing background checks of government employees and contractors, and\n                            issuing identification cards used for entering government facilities and for\n                            accessing information systems. See Appendix C for an example of the front\n                            of a PIV card.\n\n                            FIPS 201 is composed of two parts, PIV-I and PIV-II. PIV-I describes the\n                            minimum requirements for a federal personal identification system that meets\n                            the control and security objectives of HSPD-12, including personal identity\n                            proofing, registration, and issuance. 
PIV-II provides detailed technical\n                            specifications to support the control and security objectives in PIV-I, as well\n                            as interoperability of PIV cards and systems among federal departments and\n                            agencies.1 The physical card characteristics, storage media, and data elements\n                            that make up identity credentials are specified in this standard. In addition,\n                            NIST has issued FIPS 201 companion publications that specify the interfaces\n                            and card architecture for storing and retrieving identity credentials from a\n1\n PIV card is a smart card that contains stored identity credentials (e.g., a photograph, digital certificate and\ncryptographic keys, or digitized fingerprint representations) that is issued to an individual whose identity of the\ncardholder can be verified against the stored credentials by another person or through an automated process.\n\n\n    Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\n                                                           Page 2\n\x0c                            smart card, the requirements for collecting and formatting biometric\n                            information, PIV card application, and the interoperability between the card\n                            and reader.2\n\n                            The Office of Management and Budget (OMB) is responsible for ensuring\n                            that agencies comply with HSPD-12. OMB issued memorandum M-05-24 on\n                            August 5, 2005 with instructions to federal agencies for implementing\n                            HSPD-12 and FIPS 201. 
According to OMB\xe2\x80\x99s M-05-04 instructions, the\n                            issuing of compliant cards to employees and contractors will be achieved in\n                            two phases with established milestones for each phase. Also included in its\n                            instructions to agencies, OMB emphasized that successful implementation of\n                            HSPD-12 and FIPS 201 would increase the security of federal facilities and\n                            information systems. OMB warned that inconsistent agency approaches to\n                            facility security and computer security are inefficient and costly, and increase\n                            risks to the federal government. Subsequently, OMB issued three memoranda\n                            with additional instructions to agencies on implementing HSPD-12.3 Figure 1\n                            shows HSPD-12 implementation milestones.\n\n                            Figure 1: HSPD-12 Implementation Milestones\n\n                                    Date                                   Requirements\n                             October 27, 2005            Comply with PIV-I.\n                             October 27, 2006            Comply with PIV-II.\n                             October 27, 2007            Verify and/or complete background investigations\n                                                         and issue PIV cards for all employees with less\n                                                         than 15 years of government service.\n                             October 27, 2008            Verify and/or complete background investigations\n                                                         and issue PIV cards for all employees with more\n                                                         than 15 years of government service.\n\n                            The General Services Administration (GSA), in collaboration with the 
Federal\n                            Identity Credentialing Committee, the Federal Public Key Infrastructure\n                            Policy Authority, OMB, and the Smart Card Interagency Advisory Board\n                            developed the Federal Identity Management Handbook. This handbook aids\n                            agencies in implementing HSPD-12 and FIPS 201, and includes guidance on\n                            specific courses of action, schedule requirements, acquisition planning,\n                            migration planning, lessons learned, and case studies. In addition, GSA\n                            issued a memorandum on August 10, 2005 to agency officials that specified\n                            standardized procedures for acquiring FIPS 201-compliant commercial\n\n2\n  Smart card is a tamper-resistant security device, which is about the size of a credit card, and relies on an integrated\n\ncircuit chip for information storage and processing. \n\n3\n  M-06-06, Sample Privacy Documents for Agency Implementation of Homeland Security Presidential Directive \n\n(HSPD) 12, February 17, 2006; M-06-18, Acquisition of Products and Services for Implementation of HSPD-12,\n\nJune 30, 2006; and M-07-06, Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials, \n\nJanuary 11, 2007. \n\n\n\n    Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\n                                                           Page 3\n\x0c                            products that have passed NIST\xe2\x80\x99s conformance tests. According to the GSA\n                            guidance, agencies are required to use standardized acquisition procedures\n                            when implementing their FIPS 201 compliant systems. 
In addition, GSA also\n                            offers a shared services solution to federal agencies that includes enrollment,\n                            identity management, card management, card production (printing and\n                            personalization), public key infrastructure, and issuance. Background\n                            investigations, system integration, physical access control systems, and logical\n                            access control systems remain the responsibility of the participating agencies.\n\n                            The Office of Security leads the department-wide program for implementation\n                            of HSPD-12. The Office of the Chief Information Officer (OCIO) is\n                            responsible for the technical aspects of the program. The DHS Office of\n                            Security established the headquarters HSPD-12 Program Management Office\n                            (PMO) in March 2006, with the mission to implement HSPD-12 at\n                            headquarters and to guide component implementation efforts across DHS.4\n                            The PMO consists of a program manager and six staff (one federal employee,\n                            five contractors). 
The PMO is responsible for implementing a process to issue\n                            PIV cards to approximately 70,000 headquarters employees and contractors.\n                            The remaining eight components are responsible for issuing PIV cards to their\n                            own approximately 140,000 employees and contractors.5 According to the\n                            PMO program manager, the United States Coast Guard is exempted from the\n                            requirement to use the technical solution developed at headquarters, as it will\n                            issue Department of Defense\xe2\x80\x99s PIV cards.\n\nResults of Audit\n         Actions Taken To Implement HSPD-12\n                            DHS has taken several actions to implement HSPD-12 requirements. The\n                            PMO developed an implementation plan that details the objectives, priorities,\n                            parameters, and outputs to achieve its mission and enable DHS to comply\n                            with HSPD-12 requirements. The plan also details a schedule and outlines\n                            those actions that must take place in order to implement HSPD-12 at DHS\n                            headquarters. The PMO has worked collaboratively with the OCIO to\n                            develop requirements and policies, and to implement the technical solution to\n                            issue HSPD-12 compliant cards. In addition, the PMO is providing guidance\n                            and tools to help facilitate the components\xe2\x80\x99 implementation of HSPD-12. The\n\n4\n  For HSPD-12 implementation, DHS defines headquarters as the offices and components that are currently issued\nsecurity badges by the DHS Office of Security, such as Management, Science and Technology, United States Visitor and\nImmigrant Status Indicator Technology, and Office of Inspector General. 
The remaining eight components, Customs\nand Border Protection, Citizenship and Immigration Services, Federal Emergency Management Agency, Federal Law\nEnforcement Training Center, Immigration and Customs Enforcement, Transportation Security Administration, United\nStates Coast Guard, and United States Secret Service are responsible for implementing HSPD-12 at their components.\n5\n  It is reported in OMB\xe2\x80\x99s FY 2006 Report to Congress on Implementation of the Federal Information Security\nManagement Act of 2002 that DHS has 207,776 employees and contractors.\n\n\n    Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\n                                                           Page 4\n\x0c                        components are responsible for creating their own implementation plan based\n                        on their unique circumstances and will use DHS headquarters processes and\n                        its technical solution.\n\n                        According to the PMO\xe2\x80\x99s plan, DHS will implement HSPD-12 in three phases.\n                        Figure 2 graphically shows DHS\xe2\x80\x99 implementation approach.\n\n                            \xe2\x80\xa2 \t Phase I-DHS Headquarters Implementation At DHS headquarters,\n                                the PMO implements policies, procedures, and other supporting tasks,\n                                not included in the OCIO's HSPD-12 responsibilities, to comply with\n                                HSPD-12. This phase establishes the baseline from which lessons\n                                learned and best practices are developed for later phases. 
Phase I\n                                started in May 2006.\n                            \xe2\x80\xa2 \t Phase II-Component Rollout HSPD-12 rolls out to the components.\n                                The components assess their HSPD-12 requirements, develop, or\n                                update their policies and procedures, construct or select their PIV card\n                                issuance systems, and implement HSPD-12 solutions, enabling the\n                                department to achieve compliance. Phase II started in January 2007.\n                            \xe2\x80\xa2 \t Phase III-Legacy Cardholder Migration This final phase facilitates\n                                 the conversion of current employees and contractors from holding\n                                 existing DHS badges to receiving PIV-compliant badges. Phase III is\n                                 estimated to begin in December 2007.\n\n                        Figure 2: Phases of DHS\xe2\x80\x99 Implementation of HSPD-12\n\n                           Phase I                      Phase II                       Phase III\n\n\n                         DHS HQ                                                   Legacy Cardholder\n                                                   Component Rollout\n                       Implementation                                                 Migration\n\n\n                  Comply with HSPD-12 at          Rollout HQ HSPD-12           Convert legacy contractors\n                   the HQ level to develop      compliance framework to         and employees from the\n                   the baseline framework        components and guide         existing DHS badges to PIV\n                    for other components.       compliance across DHS.              
compliant badges.\n\n\n\n                        DHS also took other actions:\n                            \xe2\x80\xa2 \t The PMO developed a Component Implementation Guidance Package,\n                                which includes the DHS Headquarters HSPD-12 Procedures\n                                Reference Book that documents the process to enroll applicants and\n                                issue PIV cards.\n                            \xe2\x80\xa2 \t The PMO prepared a privacy impact assessment, dated\n                                October 13, 2006, to detail what personally identifiable information,\n                                used for issuing credentials and meeting HSPD-12 requirements, is\n\nProgress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\n                                                       Page 5\n\x0c                                    being collected, why it is being collected, how the information will be\n                                    used and shared, how the information may be accessed, and how it will\n                                    be stored securely.\n                                \xe2\x80\xa2\t The PMO established an HSPD-12 Council, with representatives\n                                   selected by the Chief Security Officer from each component, to\n                                   facilitate the implementation of HSPD-12 throughout the department.\n                                \xe2\x80\xa2\t DHS\xe2\x80\x99 public key infrastructure has been cross-certified with the\n                                   Federal Bridge Certification Authority to ensure that all digital\n                                   certificates for the PIV cards are issued under the Federal Common\n                                   Policy.6\n                                \xe2\x80\xa2\t DHS provided its PIV card to GSA for testing, as required by OMB.\n                  
                 GSA verified that the card met FIPS 201 requirements.\n\n                           The completion of these tasks fulfills some of the HSPD-12 requirements.\n                           However, DHS is experiencing delays. More work remains to ensure that\n                           DHS is fully compliant with HSPD-12 and OMB-established timeframes and\n                           requirements for developing a technical solution and issuing PIV cards to its\n                           employees and contractors. See Figure 3 for OMB milestones and DHS\n                           timeline.\n\n                           Figure 3: OMB Milestones and DHS Timeline\n\n\n\n\n6\n  The public key infrastructure is a combination of products, services, facilities, policies and procedures, agreements, and\npeople that provide for and sustain secure interactions on open networks such as the Internet. The public key\ninfrastructure uses a security technique called Public Key Cryptography to authenticate users and data, protect the\nintegrity of transmitted data, and ensure the non-repudiation and confidentiality of data.\n\n\n     Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\n                                                          Page 6\n\x0c     Better Management of HSPD-12 Implementation Is Needed\n                        DHS has not effectively managed the implementation of its HSPD-12\n                        program to ensure that the department can meet all mandated milestones.\n                        DHS has not completed the actions needed to finish Phase I of its\n                        implementation plan and comply with PIV-I and PIV-II requirements.\n                        Specifically, DHS has not identified the requirements for the usage of PIV\n                        cards and determined its total costs to implement HSPD-12. 
In addition, DHS has not accredited its PIV-I process or its PIV card issuance service. Further, DHS has not provided its components with sufficient guidance for their individual implementation of HSPD-12, and has not complied with OMB implementation reporting instructions.

DHS Is Behind In Its Implementation Schedule and May Not Meet OMB Milestones

DHS’ implementation schedule does not ensure that the department will be HSPD-12 compliant within OMB’s established timeline. Federal agencies are required to phase in the issuance and use of PIV cards for all new employees and contractors by October 27, 2007, and to complete the issuance of PIV cards to all employees by October 27, 2008. DHS is not scheduled to complete its HSPD-12 implementation until 2010, which is 2 years after the mandated deadline for all agencies, as stated in OMB memorandum M-05-04.

PMO officials maintain in their implementation plan that DHS is transitioning from Phase I to Phase II. In order to complete the implementation of Phase I, DHS was to have accomplished key tasks, such as assessing costs, initiating component support, bringing the headquarters system to production readiness, and beginning PIV card issuance at headquarters. However, DHS has completed only its initiation of component support, one of its four key tasks. The department is experiencing delays in developing a technical solution capable of interfacing with other existing external and internal DHS systems and is therefore unable to issue PIV cards to its employees and contractors. The PMO has reported to OMB that it has completed Phase I of its implementation plan.

According to its Phase II implementation plan, DHS is scheduled to begin issuing PIV cards to new headquarters employees and contractors by December 2007, and components are to begin issuing PIV cards to their new employees and contractors by January 2008. DHS plans to use a contractor to develop its production system. However, as of July 2007, no award had been made. For Phase III implementation, DHS and its components are scheduled to begin issuing PIV cards to current employees and contractors in July 2009, ending in September 2010.

According to program officials, OMB concurred with DHS’ extended timetable for HSPD-12 implementation. OMB’s Deputy General Counsel confirmed that DHS had been granted an extended timetable to implement HSPD-12. Specifically, OMB approved the following extended milestones for DHS:

• Begin issuing PIV cards to employees and contractors in December 2007.
• Complete issuing PIV cards to 80% of the workforce by December 2008.
• Complete issuing PIV cards to the remaining 20% of the workforce by December 2010.

Even with OMB’s extension, the department’s current implementation schedule does not guarantee that DHS and its components will meet OMB’s milestone to issue PIV cards to 80% of its workforce (approximately 168,000 employees and contractors) by December 2008. Based on its implementation plan, DHS and its components plan to issue PIV cards only to new employees and contractors in 2008 and are not scheduled to issue PIV cards to the majority of the workforce (current employees and contractors) until July 2009. Furthermore, DHS will not have the capability to issue PIV cards to its employees and contractors until its new production system becomes operational. According to program officials, the new technical solution is planned to be operational in December 2007.

Requirements for PIV Card Usage Have Not Been Determined

DHS and its components have not identified to what extent PIV cards will be used or required in order to access facilities or information systems throughout the department.
DHS has not determined which facilities will require PIV cards in order to gain physical access, whether PIV cards will be used for accessing information systems, and which systems will be affected.

The determination as to the usage of PIV cards is important because the cards will be personalized in order to perform identity verification both by people and by automated systems. People can use the physical card for visual comparisons, and automated systems can use the electronically stored data on the card to conduct automated identity verification. Without a determination of usage, DHS may have to upgrade its infrastructure; procure additional equipment, for example, card readers; or make modifications to the PIV cards to include additional information after the cards are issued.

Costs to Implement HSPD-12 Have Not Been Assessed

To comply with PIV-II, agencies were required to demonstrate their ability to issue PIV cards by October 27, 2006. By this date, agencies were further tasked to begin to issue and require the use of PIV cards for all new employees and contractors. To assist agencies in meeting these timeframes, GSA established a shared services solution, which all federal agencies could use, that includes registering employees and contractors, verifying their identities, and producing and issuing PIV cards.

GSA provides a complete solution for the enrollment, production, finalization, and on-going maintenance of HSPD-12 compliant credentials. Participating agencies that sign up with GSA receive an identity account for each cardholder with a secure HSPD-12 compliant credential; four public key infrastructure certificates; two fingerprint templates; a secure backend cardholder and card management system; a nation-wide network of fixed and mobile enrollment stations shared by all participating agencies; help desk and maintenance support for the credential; and secure entry of personnel into the system. Additionally, GSA will provide all acquisition, financial, and program management services. GSA is also responsible for the security and accreditation of the system.

GSA had originally estimated that it would charge federal agencies $110 (plus an annual maintenance fee of $52) to issue a PIV card. GSA revised its estimate in June 2007 and lowered the cost to $82 per PIV card (plus an annual maintenance fee of $36). Using GSA’s revised estimate, it would cost DHS approximately $17 million to issue PIV cards to its roughly 210,000 employees and contractors, with an annual maintenance fee of $7.5 million.

DHS decided not to use GSA’s solution. DHS envisioned interfacing three of its existing systems, which supported current initiatives in identity management, public key infrastructure, and the use of smart cards, as its technical HSPD-12 solution. DHS officials believed the department could enhance, upgrade, and interface these existing systems to issue PIV cards at a cost lower than GSA’s shared services solution. However, DHS did not perform a cost benefit analysis to support its decision not to use GSA’s solution.

As of May 2007, DHS had not developed cost projections for implementing HSPD-12 at its headquarters and components. The PMO has budgeted approximately $1.5 million to implement HSPD-12 at headquarters for fiscal year 2008 to cover PMO salaries, contract services, and the purchase of PIV cards. The remaining eight components have yet to develop their own cost estimates or budgets necessary to implement HSPD-12.

Without developing a total estimate, DHS does not know the most cost effective solution and places its implementation of HSPD-12 in jeopardy. Further, DHS has not determined whether it has allocated enough resources to issue PIV cards to its employees and contractors. For example, DHS and its components will be required to purchase the hardware and software necessary to issue PIV cards. Furthermore, DHS may have to allocate additional resources to replace existing card readers with newer models for physical access and to upgrade network infrastructure for access to information systems so that they are compatible with the PIV cards. Since the planned use of PIV cards throughout the department has not been determined, DHS does not know how many new card readers are needed to replace existing equipment and cannot assess the complete cost to implement HSPD-12.

Agency Head Has Not Accredited PIV-I Processes

The Secretary has not accredited the two PIV-I processes.
Agencies were required to comply by October 27, 2005, with the first HSPD-12 milestone (PIV-I).

To satisfy the PIV-I milestone, agency heads were required to adopt and accredit (1) an identity proofing and registration process, and (2) a PIV card issuance and maintenance process. The identity proofing and registration process refers to the collecting, storing, and maintaining of all information and documentation that is required for verifying and assuring the applicant’s identity. The card issuance and maintenance process should include standardized specifications for printing photographs, names, and other information on PIV cards; loading relevant electronic applications into a card’s memory; capturing and storing biometric and other data; issuing and distributing digital certificates; and managing and disseminating certificate status information.

According to a PMO official, while the Secretary did not accredit the two processes by October 27, 2005, the Deputy Chief Security Officer accredited DHS’ PIV Card Issuer (PCI) service in October 2006. The PMO official said that PCI service accreditation satisfied FIPS 201 PIV-I requirements. While the management and performance of the accreditation activity may be delegated, NIST emphasized that agency heads are required to approve FIPS 201 PIV-I accreditation personally. Further, there are serious shortcomings in the accreditation of PCI services, as reported below.

PCI Services Must Be Re-accredited

DHS did not adequately assess the capabilities and reliability, along with other required and desired attributes, of its PCI services in fulfilling FIPS 201 requirements during the certification and accreditation process. A PCI service is an authorized PIV Card issuing organization that procures FIPS 201 compliant blank cards, personalizes the cards with the identity credentials of the authorized subjects, and delivers the personalized cards to the authorized applicants. DHS must re-accredit its headquarters PCI services once it has fully developed an operational system with the capability to issue PIV cards.

DHS accredited its headquarters PCI services on October 19, 2006. The certification agent concluded that, after assessing the required and desired attributes, the DHS PCI had demonstrated that the DHS PIV issuance system adequately met the intent and content of NIST Special Publication (SP) 800-79.[7] However, when the PCI services were accredited, DHS did not have an operational system that could produce PIV cards in a production environment, as DHS was still in the process of developing its technical solution, called the Identification and Credential Issuing Station and System (ICISS). Furthermore, no stress testing was performed on ICISS to evaluate whether the system had the capability to produce PIV cards in large quantities.

[7] To assess the reliability of a PCI during the accreditation process, NIST published SP 800-79 with a set of guidelines for federal agencies that issue or prepare to issue FIPS 201 compliant PIV cards to their employees and/or contractors. These guidelines describe a set of attributes that should be exhibited by a PCI in order to be accredited. NIST recommends that agencies use these guidelines for assessing the reliability of any organization providing PCI services.

In December 2006, after PCI accreditation, the ICISS development team determined that the system could not issue more than five PIV cards before crashing. This situation occurred because DHS accepted the certification agent’s accreditation when it lacked a production system capable of producing PIV cards in large quantity.

HSPD-12 specifies that the reliability of a PCI be officially accredited before PIV cards can be issued. NIST requires that the accreditation package document the results of the certification phase and provide the Designated Accreditation Authority with the essential information needed to make a credible, risk-based decision on whether to authorize operation of the PCI. The accreditation package should contain the following documents: (1) Operations Plan, (2) Assessment Report, and (3) Corrective Action Plan. The Operations Plan should further provide supporting material and identity management-related documents, such as the PCI’s privacy policy for applicants, and descriptions of procedures for assuring reliable operation.

Obtaining adequate and reliable equipment to support the services provided by the PCI is fundamental to the success of its operations. Accreditation of a PCI is the official management decision of the Designated Accreditation Authority to authorize operation of a PCI after determining that the PCI’s reliability has been satisfactorily established through appropriate assessment and certification processes.

Reliability is the primary attribute to be exhibited and accredited in a PCI. It is the characteristic of an organization that functions are performed and services provided as expected, and that this expectation will continue in the future. NIST recommends that a PCI’s reliability be evaluated and established by assessing whether the PCI is knowledgeable, capable, accountable, available, legal, compliant, well managed, trustworthy, and adequately supported. If one or more of the required attributes are not present or not expected to continue in the future, then accreditation should be postponed or denied.

Component Implementation Guidance Needs to be Updated

In February 2007, DHS developed a Component Implementation Guidance Package (Guidance Package) to provide instructions for components to implement HSPD-12. The Guidance Package contains DHS’ HSPD-12 policy, FIPS 201, the DHS HQ HSPD-12 Procedures Reference Book (Reference Book), and other NIST special publications.
In preparing the package, DHS omitted essential information needed by the components to obtain operational and technical compliance with HSPD-12. For example, the Guidance Package does not define PIV card specifications, PIV card and middleware conformance testing, and PIV reader specifications.[8]

[8] SP 800-73-1, Interfaces for Personal Identity Verification, March 2006; SP 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007; SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, April 2005; SP 800-85A, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance), April 2006; SP 800-85B, PIV Data Model Conformance Test Guidelines, July 2006; and SP 800-96, PIV Card/Reader Interoperability Guidelines, September 2006.

Furthermore, while the Reference Book contains detailed instructions on issuing PIV cards to new employees and contractors, it does not contain procedures relating to current employees and contractors. We also identified the following deficiencies in the Reference Book that DHS must revise to ensure the successful implementation of HSPD-12:

• The timeframe for a PIV cardholder to notify a supervisor and security officer of a lost, stolen, or compromised PIV card contradicts a FIPS 201 requirement. The Reference Book requires PIV cardholders to report a lost, stolen, or compromised PIV card within 24 hours. FIPS 201 requires PIV cardholders to report a lost, stolen, or compromised PIV card within 18 hours.
• The length of personal identification numbers (PIN) and emergency notification procedures to inform supervisors and security in the event of lost, damaged, or compromised PIV cards have not been established. The Reference Book only advises applicants to choose a PIN carefully; it does not specify the length of the PIN and does not contain emergency notification procedures.
• Separation of duties needs to be established to ensure that one person cannot issue a PIV card to a person not entitled to the card or issue a card with incorrect information. The Reference Book allows the same person to fill the Access Control Officer specialist, enrollment officer, and PIV issuer roles. FIPS 201 requires that the roles of PIV Applicant, Sponsor, Registrar, and Issuer be mutually exclusive and that no individual hold more than one of these roles in the identity proofing and registration process.
• Account lockout does not meet DHS requirements. The Reference Book allows cardholders ten attempts to gain logical access with their PIV card and PIN before the card is locked out. The DHS 4300A Sensitive Systems Handbook requires that a user account be locked out after three failed login attempts.

Without adequate guidance from the PMO, there is little assurance that the implementation of HSPD-12 across the department will be successful and effective in securing DHS facilities and information systems.

PIV Card Issuance Statistics Not Posted On Public Website

OMB requires federal agencies to post on their public websites, beginning March 1, 2007, a quarterly status report on the total number of employees requiring PIV cards and the number of PIV cards that have been issued to their employees, contractors, and visitors. OMB established this requirement in order to monitor agencies’ progress in implementing HSPD-12.[9]

[9] OMB M-07-06, Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials, dated January 11, 2007.

Citing operational security concerns associated with posting such information on its public website, DHS drafted a letter to OMB listing its reasons not to comply with this requirement. As cited in DHS’ letter, revealing the total number of employees requiring PIV cards poses a security vulnerability when compared against the total number of PIV cards issued. Furthermore, according to DHS, the public release of this information could reveal DHS’ HSPD-12 readiness and may result in data mining by individuals attempting to identify employees at agencies that are not compliant or have not fully implemented HSPD-12 requirements. However, other federal agencies have posted this information to their websites, including the Agriculture Department, Commerce Department, Defense Department, Energy Department, Justice Department, State Department, Transportation Department, Treasury Department, and Veterans Affairs Department. OMB’s Deputy General Counsel said that DHS has not formally voiced any concerns for not complying with this reporting requirement.

DHS Is Not Ready to Issue HSPD-12 Compliant Cards

DHS does not have a certified and accredited operational system to support the implementation of HSPD-12.
Specifically, DHS has not acquired the\n                        capability to issue PIV cards to its headquarters employees and contractors,\n                        and bring its system to production readiness.\n\n                        PMO Needs to Bring Headquarters System to Production Readiness\n\n                        DHS does not have a production system having the capability to support the\n                        implementation of HSPD-12 by issuing PIV cards to its employees and\n                        contractors. Without a viable system, DHS cannot meet OMB\xe2\x80\x99s milestones\n                        and ultimately improve physical and logical security at its facilities and for its\n                        information systems.\n\n                        In June 2006, DHS tasked a contractor to upgrade and enhance the ICISS,\n                        develop interfaces to existing HSPD-12 preproduction systems, and perform\n                        work to certify and accredit ICISS. During a functional test in\n                        December 2006, DHS determined that ICISS could not perform all of the\n                        system requirements and could not interface with other existing external and\n                        internal DHS systems. In addition, the system crashed after producing five\n                        PIV cards. No stress testing had been performed to determine the system's\n                        capacity and whether ICISS would be able to support DHS\xe2\x80\x99 workload.\n                        Furthermore, ICISS could not accept all identity documents that are listed in\n                        OMB Form I-9, which DHS accepts as evidence to verify applicants\xe2\x80\x99\n                        identities. 
See Appendix D for a list of OMB acceptable documents.\n\n                        Due to the technical issues identified with ICISS, DHS officials are in the\n                        process of issuing a new contract. The new contract will task the contractor to\n                        deliver a new technical solution that will provide an end-to-end PIV solution,\n                        including required interfaces. According to the PMO\xe2\x80\x99s April 20, 2007\n                        implementation schedule, the headquarters system would be production ready\n                        by July 2007 and will begin issuing PIV cards to new headquarters employees\n                        and contractors by December 2007. As of July 2007, no contract had been let.\n                        Nonetheless, DHS officials expect to have a new technical solution\n                        operational by the end of 2007, 6 months behind its implementation schedule.\n\n\n\n\nProgress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements\n\n                                                      Page 14\n\x0c                        Certification of ICISS Was Inadequate and Not Independent\n\n                        The certification of ICISS was inadequately performed and the certification\n                        agent was not independent of the development team. 
The goal established by\n                        DHS was to have ICISS certified and accredited by September 30, 2006.\n\n                        The contractor who developed ICISS was requested, as certification agent, to\n                        conduct security testing to evaluate the effectiveness of controls implemented.\n                        The certification agent is an individual, group, or organization responsible for\n                        conducting a security certification, or comprehensive assessment of the\n                        controls implemented on an information system to determine whether the\n                        controls are implemented correctly, operating as intended, and producing the\n                        desired outcome with respect to meeting the security requirements for the\n                        system. The certification agent also provides recommended corrective actions\n                        to reduce or eliminate vulnerabilities in the information system. Furthermore,\n                        prior to initiating the security assessment activities that are a part of the\n                        certification process, the certification agent also provides an independent\n                        assessment of the system security plan to ensure the plan provides a set of\n                        security controls for the information system that is adequate to meet all\n                        applicable security requirements.\n\n                        The effectiveness of the controls implemented on ICISS and other\n                        interconnected systems was not evaluated in a production environment.\n                        Security testing was performed only in the test environment. 
In addition, the\n                        contractor was tasked to prepare security documents, such as the system\n                        security plan, risk assessment, and system test and evaluation plan, to support\n                        the accreditation decision. When ICISS was accredited with an authority to\n                        operate for a period of 1 year, on October 20, 2006, the system was still in\n                        development and interfaces with other systems that are required to perform\n                        fingerprint checks and control PIV cardholders\xe2\x80\x99 access to facilities had not\n                        been established.\n\n                        The information and supporting evidence needed for security accreditation is\n                        developed during a detailed security review of an information system,\n                        typically referred to as security certification. Security certification is a\n                        comprehensive assessment of the management, operational, and technical\n                        security controls in an information system, made in support of security\n                        accreditation, to determine the extent to which the controls are implemented\n                        correctly, operating as intended, and producing the desired outcome with\n                        respect to meeting the security requirements for the system.\n\n                        Security accreditation is the official management decision given by a senior\n                        agency official to authorize operation of an information system and to\n                        explicitly accept the risk to agency operations, agency assets, or individuals\n                        based on the implementation of an agreed-upon set of security controls. 
By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Without an independent and thorough assessment of the system, the accreditation official was not provided with the most complete, accurate, and trustworthy information possible. The security status of the information system is needed in order to make timely, credible, risk-based decisions on whether to authorize operation of the system.

To preserve the impartial and unbiased nature of the security certification, the certification agent should be independent from the persons directly responsible for the development of the information system and the day-to-day operation of the system. NIST recommends that the certification agent be independent of those individuals responsible for correcting security deficiencies identified during the security certification. When the potential agency-level impact of the system is moderate or high, certification agent independence is needed and justified.

Recommendations

We recommend that the Under Secretary for Management direct the DHS HSPD-12 PMO to:

Recommendation #1: Evaluate DHS’ implementation plan and take necessary steps to include the identification of additional resources to ensure that milestones are met or exceeded and that further delays are avoided.

Recommendation #2: Develop a department-wide cost estimate to ensure the determination of the most cost-effective technical solution and also ensure that sufficient resources are allocated to implement HSPD-12.

Recommendation #3: Work with all DHS components to identify the facilities access points and information systems where the PIV cards will be required.

Recommendation #4: Ensure that the agency head accredits the PIV-I processes. In addition, the DHS PMO should re-accredit the headquarters PCI services after the PIV system becomes operational and supporting documentation is revised to include all required information.

Recommendation #5: Revise component guidance to include procedures for issuing PIV cards, including adequate separation of duties, in compliance with FIPS 201 and DHS requirements.

Recommendation #6: Perform the certification and accreditation of the information systems used to implement HSPD-12 and FIPS 201 in accordance with applicable NIST and DHS guidance. In addition, the HSPD-12 PMO should provide agency officials with the most accurate information to make credible, risk-based decisions on whether to authorize a system to operate.

Recommendation #7: Ensure that OMB reporting statistics are posted on DHS’ website.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the Under Secretary for Management. Generally, the Under Secretary agreed with the report’s findings and recommendations. Where appropriate, we made changes to the body of the report to address the Under Secretary’s comments. We have included a copy of the comments in their entirety as Appendix B.

DHS concurred with recommendation 1.
The PMO continues to evaluate its implementation plan to promote a balanced approach for resource allocation. On August 2, 2007, a request for contract proposal was issued to procure an identity management system and credentialing issuance and maintenance support. When the contract is awarded, it will provide a means to deploy a unified system across the department for issuing a secure and tamper-proof smart card that allows interoperable access to DHS facilities and information systems.

We agree that the steps the PMO is taking, and plans to take, begin to satisfy this recommendation. However, the PMO did not fully address our recommendation to evaluate its implementation plan to ensure that milestones are met and future delays are avoided.

DHS concurred with recommendation 2. In May 2007, the PMO completed an independent government cost estimate, as a baseline, to evaluate the cost of implementing HSPD-12 throughout the department. However, each component has the responsibility for identifying and budgeting resources to implement its HSPD-12 efforts. The PMO will continue to work with the components to develop a proper budget estimate to implement HSPD-12.

We agree that the steps the PMO has taken, and plans to take, satisfy this recommendation.

DHS concurred with recommendation 3. The PMO has requested that the components identify their current and future requirements for facilities, physical and logical access controls, and provide this information to the PMO.

We agree that the steps the PMO plans to take satisfy this recommendation.

DHS concurred with recommendation 4. Once the new technical solution is in place, the PMO will re-certify and accredit DHS’ PCI service to ensure that there is complete integration between the operational procedures and the technical capability, and DHS remains in compliance with FIPS 201 and other applicable NIST special publications. However, the PMO continues to maintain that when the Deputy Chief Security Officer accredited DHS’ PCI service in October 2006, it satisfied FIPS 201 PIV-I requirements.

We agree that the steps the PMO plans to take begin to satisfy this recommendation. However, we maintain that the agency head should accredit the PIV-I processes. FIPS 201, which is compulsory and binding for federal agencies, requires agency heads to accredit the processes personally.

DHS concurred with recommendation 5. The PMO has established the required separation of duties in the Reference Book.

We agree that the steps the PMO has taken begin to satisfy this recommendation. However, the PMO did not fully address our recommendation to include procedures in the Reference Book on issuing PIV cards to current employees and contractors, notifying the supervisor and security office within 18 hours in the event of a lost, stolen, or compromised PIV card, specifying the length of the PIN, and ensuring that account lockout complies with DHS policy.

DHS concurred with recommendation 6. The PMO plans to obtain a new certification and accreditation of the information system used to support HSPD-12 at DHS headquarters, as part of the process to implement a new technical solution.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS did not concur with recommendation 7. The Chief Security Officer determined that revealing the total number of employees requiring and carrying PIV cards is not in the best interest of national security. However, the PMO will provide these statistics to OMB using a method other than a public website.

We maintain that DHS should comply with OMB reporting instructions and post its HSPD-12 issuance statistics on its website.

Appendix A
Purpose, Scope, and Methodology

Our objective was to determine whether DHS has effectively managed the implementation of HSPD-12.
We determined whether DHS’: (1) HSPD-12 implementation strategy plan is adequate; (2) policies and procedures to implement HSPD-12 requirements are adequate; and (3) security controls implemented to protect the privacy of personal data collected and processed by HSPD-12 systems are effective.

To accomplish our audit, we interviewed selected DHS personnel responsible for implementing HSPD-12 requirements. We reviewed the implementation plan, policies, and procedures developed to implement HSPD-12 requirements for compliance with applicable OMB and NIST guidance. We also reviewed selected security documents to evaluate whether security controls were implemented on ICISS to protect the privacy of personal data. In addition, we contacted OMB officials to obtain clarifications on their implementation instructions and feedback on DHS submissions.

We did not evaluate DHS’ identity proofing and registration process and PIV card issuance and maintenance process since the department is not issuing PIV cards. In addition, since the department has not implemented a system to produce PIV cards, we could not determine if security controls have been adequately implemented to protect the privacy of personal data collected and processed.

We conducted our audit between April 2007 and June 2007 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Major OIG contributors to the audit are identified in Appendix E.

The principal OIG points of contact for the audit are Frank W. Deffer, Assistant Inspector General, IT Audits at (202) 254-4100 and Edward G. Coleman, Director, Information Security Audit Division at (202) 254-5444.

Appendix B
Management Comments to the Draft Report

[Appendix B reproduces the Under Secretary for Management’s written comments as page images; no text is available here.]

Appendix C
Example of a PIV card

[Image of a sample PIV card; no text is available here.]

Appendix D
OMB Form I-9 Lists of Acceptable Documents

[Image of the lists of acceptable documents; no text is available here.]

Appendix E
Major Contributors to this Report

Information Security Audits Division

Edward G. Coleman, Director
Jeff Arman, Audit Manager
Chiu-Tong Tsang, Audit Team Leader
Charles Twitty, Auditor

Steven Staats, Referencer

Appendix F
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Assistant Secretary for Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Legislative Affairs
Under Secretary for Management
Chief Security Officer
Chief Information Officer
Deputy Chief Information Officer
Chief Information Security Officer
Director, Compliance and Oversight Program
Director, DHS HSPD-12 Program Management Office
Director, DHS GAO/OIG Liaison Office
Chief Information Officer Audit Liaison
Director, OIG Information Security Audit Division

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

    •    Call our Hotline at 1-800-323-8603;
    •    Fax the complaint directly to us at (202) 254-4292;
    •    Email us at DHSOIGHOTLINE@dhs.gov; or
    •    Write to us at:

           DHS Office of Inspector General/MAIL STOP 2600,
           Attention: Office of Investigations - Hotline,
           245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.